iotdesign.embedded-computing.com
E-mag
2016 Volume 3 Number 1
Product Lifecycle Management Secrets for Success in the IoT PLUS
»» Building a Secure Internet of Things
Sponsored by ATP, Arena Solutions, Infineon, and Sealevel Systems
FEATURING

Secrets to success in the hot IoT space
Discover how PLM unlocks the imagination of top IoT companies
By John Papageorge, Arena Solutions

Building a secure Internet of Things
Enabling innovation while providing safety and reliability
By Steve Hanna, Infineon
© 2016 OpenSystems Media, © Embedded Computing Design. All registered brands and trademarks within the Internet of Things E-mag are the property of their respective owners.
Secrets to success in the hot IoT space
Discover how PLM unlocks the imagination of top IoT companies
By John Papageorge
IoT Product Lifecycle Management
The “Internet of Things” (IoT) is a term you’ve probably read in the headlines. Analysts, such as IDC, forecast IoT revenues will reach $3 trillion in 2020 with 30 billion devices expected to be connected through the Internet. IPOs of IoT companies like Fitbit and GoPro, along with Google’s investment in driverless cars and $3.2 billion acquisition of Nest’s smart thermostat system, prove the IoT phenomenon is real. But as the volume of new IoT devices increases, product launch failure rates have scaled way past 50 percent, according to Gartner. This puts hundreds of billions of dollars at stake for electronics manufacturers. With such a high product design failure rate, IoT companies must now ponder these questions:
• How can we manage our design processes or products better?
• Can we monetize aspects of the Internet of Things?
• Where can we use the Internet of Things to embed technologies for remote operation and management of our assets?
• How can we extend our existing products with the Internet of Things?
• What product design and supply chain management tools will best help us succeed?
To help companies become IoT successes, Arena Solutions, the inventor of cloud product lifecycle management (PLM), has published this definitive IoT whitepaper. With input from Arena customers, partners, and top IoT analysts, we share their first-hand insights into the following IoT product design topics:
• Why you should care about IoT
• Lessons learned from the medical device IoT market
• How cloud PLM accelerates IoT’s need for speed
• How to turn disruptive change into IoT innovation
• Why IoT success depends upon a robust PLM ecosystem
Here’s what you need to know to unlock your imagination, turn design ideas into product realities, and make money in the IoT market.
Why you should care about IoT

The Internet of Things is a product design megatrend that is impacting how both new and old companies innovate and turn designs into the next breakthrough. Yet for many electronic product companies on the outside looking in at the potential of the IoT market, one lingering question remains: What exactly is the “Internet of Things”?

If you’re still confused about what the “Internet of Things” means and why you should care, you’re hardly alone. In fact, nearly half (43 percent) of the manufacturing executives polled recently by LNS Research said they don’t know anything about the IoT market. What’s more, only 10 percent say they’ve started to invest in IoT technologies.

The concept of “Internet of Things” dates back almost a century. In 1926, Nikola Tesla said, “When wireless is perfectly applied, the whole earth will be converted into a huge brain, which in fact it is, all things being particles of a real and rhythmic whole ... and the instruments through which we shall be able to do this will be amazingly simple compared with our present telephone. A man will be able to carry one in his vest pocket.”

As a modern working definition, Internet of Things is the advanced connectivity of devices, systems, and services over a variety of protocols, domains, and applications. “Things” in IoT can refer to a broad array of devices, such as heart monitoring implants, biochip transponders on farm animals, automobiles with built-in sensors, or field operation devices that assist firefighters in search and rescue. The interconnection of these embedded devices will usher in omnipresent automation in nearly all fields.

As innovative product designers dream up countless ways to exploit the inherent connectivity that will be offered in intelligent products, you can bet your sensor-covered shorts that an endless universe of new devices will explode upon the market. And as user-oriented computing expands, so will the Internet of Things market.

From a product design perspective, the opportunity is big and the possibilities are endless. Sensors embedded in everything from buildings to vehicles to clothing are solving real life problems. An office that tells you the lights are on; a bike (or a dog) that quietly alerts you, with its location, that it’s been stolen; dance aerobics shoes that can let you know when they’re worn out; and a couch that could holler, belch, or burp, depending upon your downloadable alert tone, when it has swallowed your keys. Imagine how much easier Pee-Wee Herman’s quest to find his stolen bike would have been with an IoT solution.

Michael Keer, CEO of Product Realization Group (PRG), a consortium of Silicon Valley experts that helps bring IoT product companies to market, believes the IoT market will impact every aspect of our lives and transform how we interact with both physical and digital worlds. “From virtual reality to self-driving cars to wearable devices, the opportunities are endless,” says Keer. “We are entering a quantified world, so hold on to your IoT hat.”

And while Tesla’s vision for a “perfectly applied” wireless technology and “simple” tools has not as of yet proven to be totally accurate, there’s no doubt that the IoT market has become a viable reality with commercially successful deployments in several markets, ranging from consumer electronics and fitness wearables to medical devices. In the next wave of IoT development, we’ll see the aggregation of connected devices propagated into truly smart homes, smart factories, smart grids, and smart cities.
Internet of Things products introduced at the Consumer Electronics Show (CES) offer endlessly imaginative solutions, ranging from do-everything wearable devices to a connected tennis racket that records your strokes. Some products inevitably veer into the realm of bizarre, with the toothbrush that connects to the Web and records your brushing activity, letting you know when your teeth need a more thorough cleaning. On the other hand, there are healthcare IoT devices that serve a dead serious medical need.
Lessons learned from the medical device IoT market

The Internet of Things market includes everything from consumer devices (refrigerators, clothes washers, door locks, thermostats, watches, eyeglasses, and wearable items) to cars and robots of all kinds. However, health and life sciences are one of the most compelling, yet unheralded, application areas of IoT technology; in fact, the healthcare industry helped pioneer IoT. All the way back in 2008, a company called Proteus Digital Health won a U.S. patent for a pill you can swallow with a tiny sensor inside of it. The sensor transmits data about when a patient takes his or her medication, and pairs with a wearable device to inform family members if it’s not taken at the right time. Anyone else old enough out there to remember the film “Fantastic Voyage”?

••• Figure 1 Number of devices in the Internet of Everything. Source: BI Intelligence Estimates.

With the increasing use of sensors by medical devices, remote and continuous monitoring of a patient’s health is becoming possible. This network of sensors, actuators and other real-time mobile communication devices, referred to as the Internet of Things for Medical Devices (IoT-MD), is poised to revolutionize the healthcare industry. A connected healthcare environment promotes the quick flow of information and enables easy access to it. Improved home care facilities and regular health updates to clinicians reduce the chances of redundant or inappropriate care, ensure patient care and safety, and reduce overall costs of care. Connected solutions can also be used to track lifestyle diseases such as hypertension, diabetes, and asthma, which need continuous monitoring.

Peter Lucas, the COO of Epic Medical Concepts & Innovations (EMCI), a company that translates scientific research into IoT-ready medical devices, believes the IoT market introduces particularly exciting possibilities in the life sciences industry. Within the medical realm, the interconnection of technology is more useful than highly touted “big data” at identifying trends, improving response times, and locating small problems before they become big problems. “The idea that our medical devices can communicate with the lab hardware in which they operate in a meaningful, real-time manner is really exciting,” says Lucas. “It manifests into improving medical outcomes and finding new breakthroughs, especially for EMCI in the area of cognitive neuroscience.” EMCI’s most recent disruptive medical device technologies include systems that track physical patient records to reduce errors and speed retrieval time, as well as report on the status of biological specimens in a hospital setting.
“We envision these IoT systems eventually sitting in hospitals all across the country and having the ability to communicate with each other,” says Lucas.
IoT-MD will drastically change the face of healthcare monitoring and treatment outcomes. By providing personalized and optimized services, it will promote a better standard of living and provide a timely and cost-effective response to help nations around the world improve patient care. Moreover, recent developments in sensor, Internet, cloud, mobility, and Big Data technologies have led to affordable medical devices and connected health programs, vastly increasing the potential to influence further changes. But IoT-MD design Nirvana is complicated by increasingly stringent regulation and compliance requirements. After all, human lives are at stake. “It’s one thing for your microwave to diagnose itself and call a repair tech; it’s another thing entirely to have medical information passing from device to device,” says Lucas. “I believe this will be an area that grows quickly, but will result in missteps along the way. I can almost guarantee there will be breaches of patient data, unanticipated consequences, etc. But on the other hand, interconnectivity of this type will also bring about medical innovations that would otherwise never happen.” For the IoT-MD market, a modern design solution that consolidates all compliance information, including bill of materials (BOM), the design history file (DHF), and the device master record (DMR) into one centralized system is imperative to meet increasingly stringent regulatory audits. FDA regulations and product quality business processes include: 21 CFR Part 11, 21 CFR Part 820, and corrective action and preventive actions (CAPA). And true, while compliance challenges are more treacherous in the IoT-MD space than other industries, the need to adopt disruptive change while juggling stringent quality concerns impacts IoT companies of all stripes.
How cloud PLM accelerates IoT’s need for speed

While pain points, regulatory hurdles, and adoption rates can vary widely across industries, one challenge that impacts every IoT company is the critical need to move fast. To ensure first mover advantage in a highly competitive industry, more and more IoT consumer electronics companies rely on a cloud-based product lifecycle management (PLM) solution to innovate while accelerating time to market. This is particularly true when products have complex embedded electronics with a high rate of change.

A critical advantage of cloud PLM systems is that the solutions are maintained by the provider, which means setup is easy and, most importantly, fast. And the flexibility to add and subtract licenses and modules is key to becoming short-listed. On-premise PLM, on the other hand, has an expensive and time-intensive integration process, which requires software licenses and a significant upfront infrastructure investment.

••• Figure 3a More connected devices on the planet today than people. Source: Silicon Labs, Thomson Reuters, Morgan Stanley

••• Figure 3b

“What I see most often with IoT clients is that they want to get up and running quickly with basic functionality,” says Keer. “It’s part of the lean startup mentality. And as these companies grow in size and complexity, they need a solution in place that has the capabilities to support them as they scale, without the need to switch during a critical business ramp. Companies don’t want to be burdened with the installation, setup, and maintenance of on-premise computer networks anymore.”

The speed of disruption is so fast in the IoT space, engineering teams must be rock solid in their delivery. Many failed emerging IoT companies are unable to meet aggressive design and delivery schedules because they did not have the proper tools in place to manage design data to meet their original product delivery estimates.
According to Manny Marcano, president and CEO of EMA, a company that offers a design automation solution for Cadence OrCAD, “A lot of these companies are charging fast to grab a piece of the
IoT market. And a lot of times they’re starting with a back of the napkin design and a quick prototype to get some VC funding and then they’re off to the races,” says Marcano. “Companies in the IoT space are actually rolling out PLM at the same time they are building products and taking orders. So if you have a design solution that can be implemented quickly without a lot of overhead to get a consumer electronics stamp and FCC approval, that’s a big value to them.” For OEMs, the key to moving fast in the rapidly changing IoT market is maintaining rigor, discipline, and forward-looking strategies. Successful companies keep abreast of tech developments and make well-researched judgment calls about how and when to pull the trigger and adopt new innovations into a product design. However, companies without the vision and tools to respond to change and adopt new technologies quickly could lose the razor’s edge in this competitive high tech market. Innovation is the holy grail of many product companies as they seek to differentiate their products from those of competitors. Integration of quality processes into the design cycle through collaborative quality tools can give companies the competitive edge they seek. All it takes is a shift in thinking, a willingness to embrace user feedback, and a methodology to drive quality into the product development process.
How to turn disruptive change into IoT innovation

Change happens fast and manufacturers must react quickly to embrace it. New technological developments impact product design and require OEMs to have the tools in place to streamline design processes. By minimizing costly product errors and shipping delays — especially for a sector with complex products and frequently changing parts, such as batteries — a cloud PLM solution helps companies get to market first, stake a larger market share, and maximize profit margins.
“Some of the biggest disruptions in IoT products are changes in electronic components,” says Keer. “Sensors, controllers, and batteries are all rapidly evolving to better support new applications like wearables that need smaller and lower power consuming parts. After all, you wouldn’t want to buy a smart watch that weighs 10 lbs and runs out of juice in 4 hours.”

PLM helps OEMs plan with the flexibility to be agile, make changes quickly, and implement based upon supply chain issues, tech advances, competition, and consumer demand. According to Keer, a cloud-based PLM solution is critical to keep track of these electronic components. A better understanding of which parts are going obsolete can provide a competitive edge for IoT companies. A strong PLM system enables the successful execution of a technology pivot, facilitates a contract manufacturer switch, and accelerates a new product launch.

“As engineers collect components, operations would be adding those components into Arena PLM. They then can figure out lead time for each component, which impacts time to market,” says Keer. “So if an engineer selects a component that has a two-month lead time, operations may say, here’s an alternative part, which has a one-week lead time. This example drops straight to the bottom-line of time savings on their critical path, which has a direct correlation with collapsing time to market.”

Most new IoT companies have global design and supply chains, which afford them greater flexibility during development and the ability to scale quickly as volumes ramp. Strong collaboration and management tools to support these global chains are now a must-have for these businesses. The old bootstrap combination of Microsoft Excel, DropBox, Google, etc. is too risky as these businesses move from idea to scale.
IoT companies we interviewed unanimously concurred that a cloud-based PLM system offers OEMs the flexibility to be nimble, make changes quickly, and implement based on supply chain issues, tech
advances, competition, and consumer demand. The overwhelming consensus is that on-premise PLM simply cannot provide these benefits.
Why IoT success depends upon a PLM ecosystem
The only way to manage the IoT product lifecycle – from regulatory compliance to global monitoring, quality assurance, risk management, and part non-conformance – is through a holistic approach that brings all of these moving parts together into a single, integrated view. When quality, design control processes, and risk management are embedded as an integral part of the day-to-day product design and development cycle, OEMs can dramatically reduce supply chain oversights, employee missteps, and product design errors.

“A lot of these IoT companies are growing very quickly and are looking for a ‘one-size-fits-all,’ off-the-shelf, plug-and-play environment,” says Marcano. “Because Arena and EMA are working together, we’re able to address that need on the electrical side and the PLM side so we can get them up and running in a matter of hours, in some cases.”

A highly integrated and robust design system is imperative to address hurdles, such as obsolescence, single-sourced components, regulation compliance, and market availability of electronic components. Arena’s suite of interconnected solutions connected with the product record offers a higher level of visibility into design processes to offset the risks of quality failure.

“While Arena was helpful across a broad range of issues, the interconnection between Arena PLM BOMControl and Arena Quality is where the value really shows itself,” says Lucas. “We know when we change a specification on one part of one of our devices, immediately what other parts, products, procedures, and manufacturing processes are affected. We can jump straight from there into engineering and document change requests and orders, as those can interconnect with our CAPA process within Arena Quality.”

Sierra Wireless, a leading developer of industry-leading wireless PC card lines for portable computers, turned to Arena to reduce engineering change orders (ECOs) and streamline processes. “With Arena, it’s easy to track product changes, and the amount of work we are able to achieve with Arena is unbelievable,” says Sierra Wireless.

An IoT company with design tools that can store, control, and communicate their product data across global design and supply chains will help overcome design challenges, such as security, compliance, and corralling disruptive change.

“The need for product design tools has always been there, but now it’s increased because of the ubiquity of IoT products that will scale even more in the next five years,” says Kevin Rowett, Director of Graphite Systems, which makes unified data analysis products. “IoT electronics will now be in products that previously did not have components. In five years, a refrigerator that doesn’t report its temperature doesn’t make it to market anymore.”

“When it comes to compliance stuff, you better have a design tool that ensures you have the documentation that shows you actually are compliant with these various things,” he continues. “We’ve learned over the last 20 years that there’s a direct correlation between quality and design solutions.”

It’s an exciting time for product companies. With the right design tools in place they can streamline processes, change directions, and meet demands for new opportunities in this booming market.

By 2020, the amount of Internet-connected things will reach 50 billion, with $19 trillion in profits and cost savings over the next decade, according to Cisco Systems.
PLM was created to allow all product companies — not just IoT OEMs — to better manage documents to streamline their extended supply chain efficiencies, improve cross-functional collaboration, and increase enterprise-wide visibility into the design process. In addition, Arena’s PLM applications simplify BOM and change management for organizations of all sizes, especially IoT companies.

By this very function alone — bolstered by the fact that we’re a cloud solution that eliminates setup delays — IoT companies can accelerate time to market with the ability to continuously manage costs, requirements, and design specifications from the early phases of the process.

PLM helps IoT OEMs plan with the flexibility to be agile, make changes quickly, and implement based on supply chain issues, tech advances, competition, and consumer demand. By minimizing costly product errors and shipping delays — especially for a sector with frequently changing parts — Arena’s PLM solution helps IoT companies get to market first, stake out a larger market share, and maximize profit margins.

And that’s why over 100 innovative IoT companies (Fitbit, Pebble, GoPro) rely on Arena to unlock their imagination, speed innovation, and tame even the most unconventional design ideas into the IoT’s next big thing.

John Papageorge, the author of “Secrets to success in the hot IoT space,” has worked with some of the biggest names in technology, including Oracle, IBM, Hewlett-Packard, Cisco, and Silicon Valley Bank, to analyze and communicate emerging business and technology trends.

Arena Solutions
arenasolutions.com
@ArenaSolutions
www.linkedin.com/company/12524
www.facebook.com/arenasolutions
plus.google.com/u/0/+Arenasolutions/posts
www.youtube.com/user/Arenasolutions
References:
“Gartner’s 2014 Hype Cycle for Emerging Technologies Maps the Journey to Digital Business.” Accessed August 08, 2016. http://www.gartner.com/newsroom/id/2819918.
“Supply Chains Need to Be Ready for the Internet of Things.” Accessed August 08, 2016. http://www.industryweek.com/supply-chain/supply-chains-need-be-ready-internet-things.
“The Internet of Everything Is the New Economy.” Cisco. Accessed August 08, 2016. http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/Cisco_IT_Trends_IoE_Is_the_New_Economy.html.
“The Internet of Things Will Be a $3 Trillion Industry by 2020.” TechRadar. Accessed August 08, 2016. http://www.techradar.com/us/news/internet/cloud-services/the-internet-of-things-will-be-a-3-trillion-industry-by-2020-1272263.
Building a secure Internet of Things
Enabling innovation while providing safety and reliability
By Steve Hanna
IoT Security

The emerging Internet of Things (IoT) presents tremendous opportunities for innovative companies to deliver products and services to make industry more efficient, transportation safer, and the everyday lives of people more convenient and fulfilling. But with great good there also can be great risk. Remote, intelligent monitoring and control for factories, homes, cities, and cars can increase efficiency and convenience. However, these same powerful tools can be misused by bad actors to disrupt critical infrastructure with dangerous and expensive results. At a personal level, the IoT potentially exposes our homes and personal information to malicious or criminal acts.

Fortunately, security techniques developed over the last few decades for other areas can be applied to the IoT. These techniques have a proven track record of providing effective, cost-efficient protection while enabling continuing innovation.

Many developers working in the IoT field are not security experts. They are experts in manufacturing, cars, home appliances, or other domains. These developers need to include security in their products, but this security must also meet their domain requirements. That is why experts in security solutions such as Infineon are engaging with the many domains affected by the IoT to ensure that strong and appropriate security is built in from the start. Building in security will protect the values of Safety, Reliability, and Privacy that we all care about (Figure 1).
1. Motivation

The IoT may be the most important technology trend of the 21st century. By connecting billions of electronic sensors and control elements to each other and to interconnected networks, the IoT will contribute to increased efficiency, greater convenience, and improved lifestyles for every citizen of the world. The impact will be seen from factory floors to office buildings and retail stores, mass transport systems to connected cars, and in our own homes.

As with past advances in technology, the IoT also has a dangerous side. Here is one possible scenario from the near future:

Maria Solano* was not having a great day. Unusually heavy commute traffic made her 15 minutes late to work. A news report she heard during her morning break explained that the regional traffic coordination system experienced a computer crash that disabled traffic signal synchronization. During lunch, she was frustrated to be unable to log in to her Internet-linked home video monitor to check on the doings of the twins. She called the nanny, who told her she had heard strange voices on the monitor and decided it was best to turn it off. She quickly called her husband (the family’s informal IT specialist) to ask what could have gone wrong.

Then things got worse at the plant. An automated paint line on the shop floor began to randomly start/stop sprayers, causing an expensive line stop. Maria spent the afternoon working with her production manager and IT supervisor to track down what turned out to be planted malware. No one was sure, but it appeared that someone with knowledge of the network had altered production line control commands.
••• Figure 1 IoT security is about protecting the integrity of the principles of Safety, Reliability, and Privacy.
While driving home that evening (fortunately, with no flaws in the signal system) the evening news broadcast reported that the earlier traffic system crash had actually been a prank, which was discovered when one of the teenagers involved had gotten nervous and called it in to the local police. When she got home, her husband was busy boxing up the video baby monitor. He’d learned that an unreported back door in the monitor had been hacked and that the instructions for how to break into the connection were freely available on the Internet. While Maria’s husband was confident they could find a more secure replacement, he was going to do a little more homework first.

* Fictional person

Could this really happen? In the following we will see how everything described in this short scenario has already occurred. We will also see that industry has the ability to manage and minimize such risks using proven approaches used today to protect other technologically advanced systems.

Outlined are techniques that can be used to build trust into devices and systems. The requirements and available technologies to protect the physical infrastructure of the IoT are addressed: the devices (or things), the servers that both store information and manage applications, and the network that ties systems together. In turn, this secured physical infrastructure will allow the successful implementation of policies to protect personal privacy and the data that is collected and used by the IoT.
2. Benefits of IoT

What is the IoT? Simply put – the combination of connected things and intelligent services. Everything from cars to clothes to factory machines is being networked. The number of connected devices is projected to grow at a rate of 15-20 percent per year for the next five years[1] with incremental annual revenue in the trillions of U.S. dollars and almost no market left untouched.[2]

The benefits are tremendous, but not without risk. Remote, intelligent monitoring and control for factories, homes, cities, and transport can increase efficiency and safety. Yet these powerful tools can be misused by bad actors to disrupt either critical public infrastructure or personal and private systems with dangerous and expensive results.

Let’s first look at the benefits of the IoT. These real-world deployments in the last few years have shown significant savings and exciting opportunities to further improve economic performance while making daily life more convenient and safer:

• Smart cities: The city of Los Angeles’ replacement of municipal street lighting with LED lamps led to annual savings of $8 million in electricity costs (60 percent reduction in energy use). Now, wireless connectivity to a network control center is expected to lead to further savings in maintenance while creating a dynamic system that improves safety.[3,4]

• Smart buildings: In New York, smart building technology is helping a real estate firm save approximately $1 million in operating costs in a single office building.[5] This savings will add up quickly; the City of New York estimates that as much as 75 percent of energy-related emissions in the city can be better managed through use of such smart building technology. Additionally, it was reported that the firm is working with technology providers to mirror these savings in smaller buildings it owns and ultimately find ways to make the technology available even to residential homes.

• Smart factories: A project at one Intel chip manufacturing plant reduced costs to test a single product line by $3 million annually. The pilot system analyzed information from machines, sensors, and factory staff to help the company improve the real-time control of manufacturing processes. Across all chips produced in the factory, the manufacturer estimates annual cost savings of $30 million. Similar IoT and big data analytics systems can be implemented in many other complex manufacturing processes.[6]

• Smart homes: Smart home devices, which today represent about 25 percent of IoT devices, will see sales increase from $61 billion in 2015 to $490 billion in 2019, with home automation and security applications leading the way. The impact is difficult to measure at this early stage, though a recent report highlighted particular value for senior citizens and persons with disabilities.[7]

• Connected cars: The most dramatic example of how the IoT can impact personal safety has been in the area of connected car technology. One report includes an estimate that if 90 percent of all vehicles in the US were fully autonomous (self-driving), “as many as 4.2 million accidents could be avoided each year, saving 21,700 lives and $450 billion in related costs.”[8] It is believed that improved safety, as well as improvements in personal productivity and reduced stress from the transition to autonomous vehicles, outweighs the risk of the successful attacks on connected cars, recently demonstrated by several well-intentioned (“white hat”) researchers.
Infineon agrees that the already realized and potential future benefits across all economic sectors and in each of our daily lives make the move to a smart, interconnected world inevitable. It is vital, however, that industry and policy makers recognize and address the security risks of the IoT.
3. Risks of IoT
The risks of IoT mirror those of any networked computer system. However, because the IoT will impact so many different sectors and have a role in controlling physical infrastructure and services, these risks are amplified. A successful attack on an IoT device or system can have significant impact on users, device manufacturers and service providers by affecting the physical as well as the cyber world. It may expose confidential information such as private user data as well as know-how, intellectual property and process intelligence. In addition, it can lead to interruption of operations, compromise of business continuity, and endangerment of a company’s brand image, success, and very existence (Figure 2).
Why security is needed
For policy makers, the principal concerns related to IoT risk mitigation are the protection of public safety and privacy. It is critical that networked systems controlling industrial and public infrastructure are protected from both accidental and malicious attacks. Personal information about individuals who are monitored by IoT devices while going about their daily lives, or who use such devices to monitor their own property, also must be protected both from accidental exposure and from deliberate theft with intent to misuse.
With its potential to improve traffic flow, and thus both manage emissions and save fuel costs, automation of traffic management systems is a common initial project for IoT deployment in municipalities. Early implementations, however, have failed to exercise basic principles of system security and have been shown to be open to attack. In 2014, a white hat team of students at the University of Michigan took control of real, networked traffic signals and found that they could change the status of the lights (red, green, yellow) remotely. It was found that factory default settings were left unchanged and network commands were unencrypted.[9]
••• Figure 2 Major risks in the IoT include operational security, data security, and brand and business case security.
In December 2014, the German Federal Office for Information Security reported a cyber attack on a steel mill. Beginning with a penetration of the mill’s office computer network, the unidentified attackers were able to cause “massive damage” by compromising the industrial control network and preventing a blast furnace from being shut down properly.[10] While many details of this successful attack are unknown, it is likely that companies with similar automation systems are now closely examining security guidance and actual practice.
A first-of-its-kind attack that caused a loss of electrical power to customers was reported by utility companies in the Ukraine at the end of December 2015. More than 80,000 customers of at least one Ukrainian power distribution company lost service for several hours. While the cause of the outages is still being investigated, it appears that three different strategies were used to gain control of internal systems at the utility, indicating a high degree of planning involved in the attack.[11]
The rush to the IoT for home monitoring and security also appears to have outpaced principles of design for security. A vulnerability study conducted by security researchers in the summer of 2015 found serious security flaws in every one of nine Internet-connected baby monitors it tested.[12] The researchers noted that every camera had a backdoor that would allow intruder access. Additional security flaws included the use of default passwords, easily accessed Internet portals, and lack of encryption. Hackers have created websites featuring thousands of discovered insecure webcams for curious peepers.
One final example of the risks that arise when everyday devices are connected to the Internet was reported in early 2014 by researchers in Silicon Valley. In a one-month study of spam messages, the researchers were able to trace spam email to smart appliances, including a refrigerator that had been hacked and used to send spam.[13] Consumers cannot, and should not, be expected to know about and maintain the security status of net-connected home appliances. Appliances, and other devices on the IoT, must be designed with provisions for security that last for the lifetime of the product.
4. Managing and reducing risks
The types of risk associated with the IoT vary depending on the application (i.e., smart home, Industry 4.0, connected car, Information & Communication Technology, etc.). However, the methods of attacks are common across the range of systems. Eavesdropping attacks are aimed at discovering information (which may then be used in future attacks). Other attacks involve subverting or impersonating the server to send bad commands, or injecting false information from devices with the intent to cause an unwanted response or hide a physical attack.
Clearly, the consequences of eavesdropping vary depending on the IoT application (Figure 3). For an individual, invasion of privacy could escalate to personally catastrophic consequences. If the attack is industrial spying, it may lead to theft of intellectual property or be a precursor to an attack on a plant or other operations. Injection of fake commands can be an annoyance to a home dweller, cause commercial loss to a company, or seriously damage critical infrastructure. Conversely, causing a device to inject false information into the network can easily have negative consequences.
Just as the risks of the IoT mirror other networked technologies, appropriate security responses to protect digital systems have been demonstrated and are relatively well understood. And, while there is no single solution to IoT security, there are commonalities in the approach across the many different application scenarios. In every case, the goal of security is to prevent unauthorized reading, copying, and analysis of digital information and to avoid direct manipulation of the protected system. This can be accomplished with a spectrum of techniques that range from a software-only approach to the use of robust hardware-based security that is specifically designed to resist even determined attacks by bad actors with access to sophisticated resources.
••• Figure 3 Eavesdropping is one type of threat that can compromise vulnerable IoT systems.
Assessing risk
IoT security should be evaluated using a risk-based approach in which increasing levels of protection are applied as overall risk to the system or the information contained in the system increases. A scalable security implementation can be designed to protect each device in a way that isolates simpler, lower cost devices on the edge of the network and builds higher level security at critical points. Risk analysis also considers the security both of the entire networked system and the many devices that will or could be connected to that system. When devices are linked in a communication network, every linked device represents an attack surface. Even a simple smart light bulb that is controlled via a wired or wireless link can be an entry point for either a nuisance or more serious attack on an IoT system.[14]
With nearly 30 years of experience in the field of security for embedded systems, Infineon and its customers have learned that a software-only approach to protecting systems from malicious attacks leaves both the individual device and larger networked system at risk. Hardware security provides a critical layer of protection appropriate to the risk level of the many different devices that make up the IoT. This critical layer revolves around the concept of a “Root of Trust,” which is a secured area that resides on a computer chip and provides a memory and processing environment that is isolated from the rest of the system. The Root of Trust is shielded from malicious attacks and thus provides security for the other operating layers of the computing system that it protects.
5. Best practices for IoT security
Security for the IoT revolves around three main concepts: Confidentiality, Identity, and Integrity (Figure 4, page 18). These concepts can be expressed as questions:
• Is the transfer and storage of sensitive data protected?
• Are the components of the IoT system (device, server, etc.) what they claim to be, or are they digitally disguised?
• Have the components been compromised or infected?
A Root of Trust is the best way that these questions can be positively answered. The Root of Trust is a security chip hardened against attacks and integrated into the IoT device, network, or server. Depending on the intended application, the chip used can provide different levels of protection that fulfill some or all of the roles for hardware security illustrated in Figure 5.
The lowest level of risk in an IoT system may be a non-programmable end node that simply relays sensor data to some type of gateway or local server that verifies the source and includes the input in its operating data. Even at this level, a low-cost authentication chip with a single pre-programmed identity provides a way to confirm identity throughout the device lifecycle. This also helps to prevent the proliferation of cloned devices at the edge of the network. If there is a requirement that the transmitted data be encrypted or that the device be resold or reconfigured, additional protected storage of keys and certificates should be considered.
••• Figure 4 Confidentiality, Identity, and Integrity are the three main concepts behind robust security for the IoT.
••• Figure 5 Chip-based hardware security can be used to fulfill different levels of IoT security.
The data and commands that flow between devices and servers should be encrypted sufficiently to resist attempts at eavesdropping and false command injection. This requires cryptographic computation capability at both ends, which can be scaled to suit the level of risk. Even at the lowest level of functionality, hardware-based security uses cryptographic mechanisms to protect secret data. The cryptographic algorithm can be implemented running on a general-purpose MCU, but it is advisable for the devices themselves to have at least basic tamper-resistant capability and cryptographic functionality. Such protections are already widely implemented in chips such as those used in credit cards. These chips protect themselves and can even automatically erase their memory if tampering is detected.
IoT security benefits from a holistic approach that provides for security throughout the lifecycle of every device used in the system. In systems that use large numbers of low-cost devices, secure hardware supply chains support shipping chips directly from the chip manufacturer to the point of assembly. With a preprogrammed identity, the chips then can register themselves “over the air” when turned on. It is easier to defend against intrusion and subversion if each device is fitted with a security key at a central point of control.
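The end-node case described in this section (a sensor with one pre-programmed identity reporting to a gateway that verifies the source and rejects injected data) can be sketched as follows. This is an added example, not code from the article or from Infineon: the article does not specify a mechanism, so the per-device symmetric key, the HMAC-SHA256 challenge-response, and the names `device_tag`, `Gateway` and `run_demo` are assumptions, and all IDs, keys and readings are constructed. It covers identity and integrity only, not encryption of the data.

```python
import hashlib
import hmac
import secrets


def device_tag(device_id: str, key: bytes, nonce: bytes, reading: bytes) -> bytes:
    """MAC the chip would compute over identity, gateway challenge and sensor data."""
    ident = device_id.encode()
    # Length-prefix the ID and use a fixed-size nonce so field boundaries are unambiguous.
    msg = len(ident).to_bytes(2, "big") + ident + nonce + reading
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    """Accepts a reading only from a registered identity answering a fresh challenge."""
    def __init__(self, registry):
        self.registry = dict(registry)   # device_id -> key provisioned at manufacture (assumed)
        self.pending = {}                # device_id -> outstanding single-use nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def accept(self, device_id: str, reading: bytes, tag: bytes):
        key = self.registry.get(device_id)
        if key is None:
            return False, "unknown device"
        nonce = self.pending.pop(device_id, None)   # consumed even if verification fails
        if nonce is None:
            return False, "no outstanding challenge"
        if not hmac.compare_digest(device_tag(device_id, key, nonce, reading), tag):
            return False, "bad tag"
        return True, "ok"


def run_demo():
    # Constructed sample data: IDs, keys and readings are made up for this example.
    real_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    gw = Gateway({"sensor-0001": real_key})
    results = {}
    n = gw.challenge("sensor-0001")
    tag = device_tag("sensor-0001", real_key, n, b"temp=21.5")
    results["genuine"] = gw.accept("sensor-0001", b"temp=21.5", tag)

    # Captured message replayed later: the tag was bound to the old nonce.
    gw.challenge("sensor-0001")
    results["replay"] = gw.accept("sensor-0001", b"temp=21.5", tag)

    # Clone that copied the ID but not the key held inside the chip.
    n = gw.challenge("sensor-0001")
    clone_tag = device_tag("sensor-0001", b"\x00" * 32, n, b"temp=21.5")
    results["clone"] = gw.accept("sensor-0001", b"temp=21.5", clone_tag)

    # Reading altered in transit after the genuine device produced its tag.
    n = gw.challenge("sensor-0001")
    tag = device_tag("sensor-0001", real_key, n, b"temp=21.5")
    results["tampered"] = gw.accept("sensor-0001", b"temp=99.9", tag)
    results["unregistered"] = gw.accept("sensor-9999", b"temp=21.5", tag)
    return results


if __name__ == "__main__":
    print(run_demo())
```

In a hardware-backed design the key never leaves the security chip, so `device_tag` would be a call into the chip rather than a function holding the key in application memory.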
IoT security solutions are available
All these techniques (tamper-resistant circuits, authentication, and encryption) have been used previously in other systems but are not yet routinely considered for IoT. Infineon believes the benefits of hardware-based security – including better performance, improved security (including tamper resistance), and security partitioning (protection against bugs in operating system and application code) – make a strong case for using this technology in the IoT.
Infineon is a leader in providing security for the connected world. The company has shipped more than 20 billion secure ICs worldwide in the last 25 years and is ranked by market researchers at IHS as number one in embedded security.[15] The company has a broad portfolio with different product families established to match different system requirements. Security for embedded systems can be provided by the OPTIGA™ product family, comprising the OPTIGA™ Trusted Platform Module (TPM) as a standardized, feature-rich security solution, and the OPTIGA™ Trust family with turnkey or programmable solutions. For secured machine-to-machine (M2M) communication via cellular wireless, Infineon offers the SLM 76 and SLM 97 SOLID FLASH™ products for industrial applications and the SLI 76 and SLI 97 for automotive applications such as emergency call (eCall) services, software updates over the air, and car-to-car communications. These security ICs are very robust, have extended temperature range specifications, and are qualified for industrial and automotive standards. In the emerging segment of smart wearable devices, Infineon provides embedded Secure Element (eSE) and Boosted NFC Secure Element ICs. Additionally, select security ICs from Infineon support the latest FIDO 1.0 specifications for secure online authentication.
••• Figure 6 A range of Infineon security ICs are available to meet the requirements of various markets and applications.
More information on the many uses of security ICs and Infineon’s product portfolio is available at www.infineon.com/IoT-Security. Steve Hanna is Senior Principal, Technical Marketing at Infineon.
References:
1. “The Internet of Things: Sizing up the opportunity.” http://www.mckinsey.com/insights/high_tech_telecoms_internet/the_internet_of_things_sizing_up_the_opportunity.
2. “Internet of Things By The Numbers: Market Estimates and Forecasts.” http://www.forbes.com/sites/gilpress/2014/08/22/internet-ofthings-by-the-numbers-market-estimates-and-forecasts/.
3. “Los Angeles to upgrade street lights with GPS.” http://www.fiercewireless.com/tech/story/los-angeles-upgradestreet-lights-gps/2015-05-14.
4. “LA’s Street Lights Can Now Be Wirelessly Controlled.” http://gizmodo.com/las-street-lighting-will-becontrolled-by-a-wireless-ne1696359821?utm_expid=66866090-62._DVNDEZYQh2S4K00ZSnKcw.0&utm_referrer=https%3A%2F%2Fwww.google.com%2F.
5. “New system lets buildings learn from energy use.” http://www.capitalnewyork.com/article/cityhall/2014/12/8558111/new-system-lets-buildings-learnenergy-use.
6. “IoT and Big Data Analytics Pilot Bring Big Cost Savings to Intel Manufacturing.” https://blogs.intel.com/iot/2014/09/28/iot-big-data-analytics-pilot-bring-big-cost-savings-intel-manufacturing/.
7. “IoT Innovations Offer Essential Benefits for People with Disabilities.” http://www.aapd.com/resources/power-gridblog/iot-innovations.html?referrer=https://www.google.com/.
8. “Driverless Cars: The Car Hack Security Challenge.” http://destinhaus.com/driverless-cars-the-car-hack-security-challenge/.
9. “Hacking Traffic Lights with a Laptop is Easy.” http://www.networkworld.com/article/2466551/microsoft-subnet/hackingtraffic-lightswith-a-laptop-is-easy.html.
10. “German Steel Mill Meltdown: Rising Stakes in the Internet of Things.” https://securityintelligence.com/german-steel-mill-meltdownrising-stakes-in-the-internet-of-things/.
11. “Everything We Know About Ukraine’s Power Plant Hack.” http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/.
12. “Watch Out, New Parents – Internet Connected Baby Monitors are Easy to Hack.” http://fusion.net/story/192189/internet-connected-baby-monitors-trivial-to-hack/.
13. “What Do You Do If Your Refrigerator Begins Sending Malicious Emails?” http://www.npr.org/sections/alltechconsidered/2014/01/16/263111193/refrigerator-hacked-reveals-internet-of-things-security-gaps.
14. “Why Lightbulbs Will be Hacked.” http://www.eetimes.com/author.asp?section_id=36&doc_id=1327843.
15. “IHS TECHNOLOGY Insight Report: Embedded Digital Security Report – 2016 December 2015.” http://www.ihs.com.